Tech Details of HID's Mercury Upcoming "Black" Boards

Published Apr 02, 2024 12:21 PM

With HID's Mercury EOLing its widely used "red" boards in the next few months, questions have been raised about why and how the new "black" boards will differ.

In this report, based on Mercury partner documents we obtained, we examine the rationale for discontinuing the "red" boards, including security issues, and the technical details of the "black" boards.

This is a developing issue, and we will continue to update this report and release new ones as we gather more information or others come forward to share. If you have any additional information or would like to share, please email jermaine@ipvm.com.

Executive *******

* ***** ******* *******'* ********* ******** confirm *** ******** "*****" ****** ******* various ************ ******** ****** / ************ in *** "***" *****, ********* *** addition ** ****** ****, *** *.*, etc., *** ***** ** * *********** amount ** ******** ********** "*****" ** "red" ****** **** *** ****** ********** to **** **** / *************** *** are ****** ** ****** ********** ** not ******** / *******.

*** ******** ** ************* (****** ****, TLS *.*, ***.) *** *** "*****" boards *** * **** ******* ******** to *** "***" ******. *******, ** updates *** *** ********** / *******, they *** ****** ** ** *********** to **** / *************** ** *** future, *** ** ********* ******* ** up-to-date / *****, ***-********** ********.

*** ***** ** "***" ******, ** recommend *** ****** **** ******* *** up ** **** *** ****** **** / ** ******** ** ****** ** support *** ******** "*****" ****** **** available *** **** *** ****** *** use **** ** ****** ******* ******** / ******* ****** ***** ** ***** provider *** ***.

************, ******* ******* ********* ******** ******* the ******** "*****" ****** **** ******* swappable ********** **** **** "****" ******* areas ********* / *******'* *********.

**** ******** / ******** ** ********* modules **** *** "*****" ****** ***** they **** **** ******** ************* *** aims ** ******** **** ******** ** the ******. ****** *** / *******'* shortages ********** *** ** *** ******* of *"*" *****, ***** **** ********* ******* ********** to ******* *** ***-***** ** ***-**** lead *****.

Structural ******** ****** ************

***** *** / ****** **** **** the "*****" ****** *** *** ******* to ***** ******* ******** ****** / vulnerabilities, *** *******'* ************* ************ ***************:

["*****" *****] *********** ***** ******* ************* hardening. ["*****" *****] *********** *** ***** Secure ******** ** *** ************** **** from ** *****, ***** ******* * function ****** ****** ****. ****** **** ensures **** *** ********** **** ***** using ******* ********. ****, *** ["*****" board] *********** *** ***** * ********** embedded ***** ******* **** ** ******* to *** *.* *** ******** ********, dropping ***** ************* ********, ***reducing ******* *** ***************. Additionally, a bigger processor, more memory, and more resources will allow more features in the future. [emphasis added]

***** ****** *** *.* *** ****** Boot ** *** ***** / ***, it ** * **** ******* **** the ******** ******** *** *** *** / ******* **********, ********** *** ********** TLS *.* *** *** *** *.* versions.

** ****, *** ******** "*****" ****** do ****** ******* ******** ****** / vulnerabilities **** *** / *******'* "***" or "*****" *********** *** *********** **, and **** ************, **** **** **** not **** ******** ********** / ******* or ******** ** *** *****.

*** ****, ******** ****** ************* ******** - *****.***, Brivo, ***, *******, ****, ********, ***, Verkada.

Mitigating ****** ****** ***** *********

************, *** "*****" ****** **** ********* components **** *** ** *********** / *******'* **** *********** *** * *** ***** ***, expanding:

["*****" ****** ****] ******** *** ********* resiliency ****lessons ******* **** ****-***** ****** ***** *********, the ["black" board] controllers are designed to accommodate two different component-level power supply circuits, and two different component-level Ethernet Phy circuits. These two areas were the core component shortage areas in 2021-2022.

***** **** *** * *********** ***** for *** / *******, ***** ****** many ****** ************ ** *** / ********** *** ********* ** *******"*" ******, **** ******** *** ********* ********** shows **** *** ** ****** **** do *** ********* ******** ****** ** the ******. *******, *** **** **** works ******* ** ** ****.

Risks ** ***** *** ** ******* *** "***" ******

* *********** **** *** **** *** users ** *** ***** *** ** support *** ***** "***" ******. *** example, **** ******'* ******* **** **** provide ******* ***** ******** ** ****:

[*** "***" *****] *********** **** ** receiving ******** ******* ***** ******** ****.

**** ** *********** *** **** ********* as *********** ** ****** ******* *******(*** ******) *** ******* **** *** of ******* **** *** **** **** the ***** *** ******. **** ***** are ** ****** ***** ******* / patched, ********* **** ** ***** **** either ***** ********* ***** ******* ** accepting **** **** ** ********** / susceptible ** *******.

10-Year **** **** ***** ************

********* ** ****, *** ******** "*****" boards *** ******** ** **** **-****-**** lifecycle ************:

*** ********** **** **** **** ****** for *** ["*****" *****] *********** **** at ***** * **-**** *********. **** means **** ****** ** *********** ** launching ** *** ***** *** ** its *********'* **********.

** *********** ** ****** ******* ****** **************** *****, *** ******* ******** ** Access ******* ** **** ******* **** that ** ~** *****.

Some ******* **** **** ******* "****** ****" **** ** ******

***** ****** ****** *** *** ****** / ******* / ******** **** *** will ******* *** ******** "*****" ****** at *******, ** **** **** **** support **** ** "****** ****," *********** seeing / ********** **** *********, ** a "***" *****:

** ****** ****, * ["*****" *****] controller **** ****** ** *** **** platform ** ** ** ** * ["red" *****] **********. **** ****** ***** versions [**] ****** "***" ***** *********** to *** ["*****" *****] *********** *** expansion ** *** ******. *** *** think ** ****** **** ** ** impersonation - ["*****" *****] ** ************* a ["***" *****] **********.

** ********, ******* ******* **** **** they **** ** ***** *********** *** supported **** ********:

** ** *** ****, *** ******* for *** ** ***** ["*****" *****] is *****. ** **** ********* *** code ** ***** ** ** *****, so **** ** ** ********* ** can ** ******* ** ** ** MP *****.

More *********** ** ***********

*** ***** **** *** ********* *** not *********** ** *** ************* *** the ********* ****** *** *** ***** application *********** ********:

  • **** ****** *********, ********* *** **** badge ******** / **** ******* ***** storage.
  • ******* *** ************ *********** *******.

***** ******** ***** ***** *** ********** developments ** ******** / *********. *******, the ******** ******** / ********** **** are *** *********, ** ** ****** expand ** **** ********* ********** **** will ****.

Quick ***** *** ** "*** ******" ***** ***** ******

***** ** *** ************* ** **** seen / ************* **** ********, **** are ****** ** ****** ***** ** the "***" ****** *** ***** ********* / ********, **** **** ******* ******** about ******* ****** ** ********* *** partners *** ** ** "***** **" and **** "******."

** ****, *** ******* ************* **'** obtained ********** ****** ** ****** ** May ***, ****, *** ********** ********:

  • ******** / *** *** ****** *** equipment/project *****/****** ** ["*****" *****" ***********.
  • ****** *** *, **** ** *** orders ****** **** [*********** *******] *** guaranteed ********, ******** *** ** ********* out ** **** ****.

****, * ******* / ****** ***** of ***** / ******** ***** *********** in ********* ** **** (****** ***** not ** ******** *** *******'* ********). As ****, ** ****** **** (** not ***) ******** ** *********** ******* timelines / ***** *************** ** ***** dealers / *********.

*******, **** ******* ************* *********** ** or **** *** ****** ** *** "red" ****** ******* *** ** ***, as ******* (** **** *****, ** not *******) **** ******* ***** ** ramping ** ********** ** *** ******** "black" ******. ** ** ***** *** any ****** ** *** "*****" ****** reaching ********** / ********** ******, ***** could ***** ****** *** *** ******** / ******** ********.

** ****, **** **** ******** ** closely ****** *** ********* ** / when ** ***** / ******** *** information ** ***** *** *********** *******.

No ******* *******

***** **** ** *** ****** ******* saying ******* ** ********* **** *** previous "***" ******, ******* *********** *** their *** ******* *** ********* / installs, ***., *** ******* ** ****** to **** ** **** ** ******* / *******, ***.

Comments (3)
Paul H Aube
Apr 03, 2024
Consultant PHA

* ** *** **** **** ** is ********** *** ** ***-**** ** change * *** ***** ** *** cyber-security ******** *** *** **-**-****. ** the ******* ** **********, *** *** up-date ** ** *******, ******* ** pushing *** * ****** ** **********? When *** *** ***** ** ********* or **********, **** ** ***-**** *** change. *** ********/** **** ****** ***** hardware ****** - ********** **** ******* to **********, ***** *** ******* - which ***** ** ** *** "*****" board *******.

********** **** ******** ***'* **** *** news. * ***-****/****** *** ****** ********?

*** ** ******* **** *** "******-**********/**** to *** ********" **** ** ********* electronics **** ******* **** ** ******** car *********?

*** ***** ****** ** *******'*, *** a ******'* ******** *** ****** *** adequately ******* *** ******* ********. ********** should *** *********** * ****** ****. "Smells" **** ***** ****** ********** ** the ******* ** *********.

******* ************ ***** *****. ** ***** is * **** ** ******* ** an ************ **** ** *********, ** like **** *************: ******.

** ****.

(1)
Jermaine Wilson
Apr 03, 2024
IPVMU Certified

** *** ******* ** **********, *** not **-**** ** ** *******, ******* of ******* *** * ****** ** equipement?

**** ** **** ************ ** *** firmware ** ******* / ***********, *** regardless ** *** ****** ** ***********, a *********** ****** ** ***** ****** are ******* *******, ** ****** ***** have ** **** ** **** ***** for ******** ********. ******* ******** ****** such ********, *** *** *** *********** are ******* / ******* ******* ** a ***** ****** ** ******* ****.

**** ** *** ** *** **** cloud-managed ****** **** ********** ***** ** end-of-support **** (* **** *** ******* of *** ******** ********* ***), *** they *** ************* ****** ** ****** / **** ******* *** ****** ** the **** ******* ******* (***** *** end ** *******).

Undisclosed Integrator #1
Apr 03, 2024

** *******, * ***** *** **** End ** **** ***** ** ******** incorrect. **'* **** ** ** *** of *****, ** **** ******* *** the ******* ****** ******* ******** ********* that *** *** ** ****** ****** will ******** *******, ** *** **** of ******* ** ***** ***** **** be ******** ******* ***** ****. ***** is ** *********** ** ************* ********* published **** ***** ******* *********** ** the ** (***) ****** ** ******** as ** ***. *** ******* ******** has ******* *** *** ************ ******** changes **** **** ******* *** ******** of *** ***** *** ********* ******** on ***** *********.

**** *** * ****** *** ******** vendor **** **** ******* ******** *** indicated *** ******* **** ** *** of *******, **** ******** ***** *** exact ********, ******* ** *** ****** points ***.

** *** ********'* ******* ** ********* secure, ** ** *** ***** ** no **** ********** ***** ******, **** the ********* ** * *** *********** of ***** ********* ****** *** *** outdated ******* ** ***.

*******, ****** *** ******** *** ******** where **** **** ** *** *** hardware, ***** ** ** **** ** concern. *** ******* ***** *** ** that ***** **** ** * ********** switch, ******* **** *** *** ** stock ** *** *** ****** ****** they **** ******** ********** ********** ** the *** ***** ****.

(2)